mirror of
https://github.com/phpbb/phpbb.git
synced 2025-07-31 14:00:31 +02:00
some changes for the new version
- it would be nice if anyone able would be testing these changes on their installations and report bugs as soon as possible (also do not hestitate to PM the developers. ;)). - the changelog is ommitted for now - it will get checked in later. git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@6772 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen
@@ -917,7 +917,7 @@ function redirect($url)
|
||||
$db->sql_close();
|
||||
}
|
||||
|
||||
if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r"))
|
||||
if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r") || strstr(urldecode($url), ';url'))
|
||||
{
|
||||
message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
|
||||
}
|
||||
|
||||
@@ -52,84 +52,67 @@ $sql = "SELECT username, user_email, user_viewemail, user_lang
|
||||
WHERE user_id = $user_id";
|
||||
if ( $result = $db->sql_query($sql) )
|
||||
{
|
||||
$row = $db->sql_fetchrow($result);
|
||||
|
||||
$username = $row['username'];
|
||||
$user_email = $row['user_email'];
|
||||
$user_lang = $row['user_lang'];
|
||||
|
||||
if ( $row['user_viewemail'] || $userdata['user_level'] == ADMIN )
|
||||
if ( $row = $db->sql_fetchrow($result) )
|
||||
{
|
||||
if ( time() - $userdata['user_emailtime'] < $board_config['flood_interval'] )
|
||||
|
||||
$username = $row['username'];
|
||||
$user_email = $row['user_email'];
|
||||
$user_lang = $row['user_lang'];
|
||||
|
||||
if ( $row['user_viewemail'] || $userdata['user_level'] == ADMIN )
|
||||
{
|
||||
message_die(GENERAL_MESSAGE, $lang['Flood_email_limit']);
|
||||
}
|
||||
|
||||
if ( isset($HTTP_POST_VARS['submit']) )
|
||||
{
|
||||
$error = FALSE;
|
||||
|
||||
if ( !empty($HTTP_POST_VARS['subject']) )
|
||||
if ( time() - $userdata['user_emailtime'] < $board_config['flood_interval'] )
|
||||
{
|
||||
$subject = trim(stripslashes($HTTP_POST_VARS['subject']));
|
||||
message_die(GENERAL_MESSAGE, $lang['Flood_email_limit']);
|
||||
}
|
||||
else
|
||||
|
||||
if ( isset($HTTP_POST_VARS['submit']) )
|
||||
{
|
||||
$error = TRUE;
|
||||
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Empty_subject_email'] : $lang['Empty_subject_email'];
|
||||
}
|
||||
|
||||
if ( !empty($HTTP_POST_VARS['message']) )
|
||||
{
|
||||
$message = trim(stripslashes($HTTP_POST_VARS['message']));
|
||||
}
|
||||
else
|
||||
{
|
||||
$error = TRUE;
|
||||
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Empty_message_email'] : $lang['Empty_message_email'];
|
||||
}
|
||||
|
||||
if ( !$error )
|
||||
{
|
||||
$sql = "UPDATE " . USERS_TABLE . "
|
||||
SET user_emailtime = " . time() . "
|
||||
WHERE user_id = " . $userdata['user_id'];
|
||||
if ( $result = $db->sql_query($sql) )
|
||||
$error = FALSE;
|
||||
|
||||
if ( !empty($HTTP_POST_VARS['subject']) )
|
||||
{
|
||||
include($phpbb_root_path . 'includes/emailer.'.$phpEx);
|
||||
$emailer = new emailer($board_config['smtp_delivery']);
|
||||
|
||||
$emailer->from($userdata['user_email']);
|
||||
$emailer->replyto($userdata['user_email']);
|
||||
|
||||
$email_headers = 'X-AntiAbuse: Board servername - ' . $server_name . "\n";
|
||||
$email_headers .= 'X-AntiAbuse: User_id - ' . $userdata['user_id'] . "\n";
|
||||
$email_headers .= 'X-AntiAbuse: Username - ' . $userdata['username'] . "\n";
|
||||
$email_headers .= 'X-AntiAbuse: User IP - ' . decode_ip($user_ip) . "\n";
|
||||
|
||||
$emailer->use_template('profile_send_email', $user_lang);
|
||||
$emailer->email_address($user_email);
|
||||
$emailer->set_subject($subject);
|
||||
$emailer->extra_headers($email_headers);
|
||||
|
||||
$emailer->assign_vars(array(
|
||||
'SITENAME' => $board_config['sitename'],
|
||||
'BOARD_EMAIL' => $board_config['board_email'],
|
||||
'FROM_USERNAME' => $userdata['username'],
|
||||
'TO_USERNAME' => $username,
|
||||
'MESSAGE' => $message)
|
||||
);
|
||||
$emailer->send();
|
||||
$emailer->reset();
|
||||
|
||||
if ( !empty($HTTP_POST_VARS['cc_email']) )
|
||||
$subject = trim(stripslashes($HTTP_POST_VARS['subject']));
|
||||
}
|
||||
else
|
||||
{
|
||||
$error = TRUE;
|
||||
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Empty_subject_email'] : $lang['Empty_subject_email'];
|
||||
}
|
||||
|
||||
if ( !empty($HTTP_POST_VARS['message']) )
|
||||
{
|
||||
$message = trim(stripslashes($HTTP_POST_VARS['message']));
|
||||
}
|
||||
else
|
||||
{
|
||||
$error = TRUE;
|
||||
$error_msg = ( !empty($error_msg) ) ? $error_msg . '<br />' . $lang['Empty_message_email'] : $lang['Empty_message_email'];
|
||||
}
|
||||
|
||||
if ( !$error )
|
||||
{
|
||||
$sql = "UPDATE " . USERS_TABLE . "
|
||||
SET user_emailtime = " . time() . "
|
||||
WHERE user_id = " . $userdata['user_id'];
|
||||
if ( $result = $db->sql_query($sql) )
|
||||
{
|
||||
include($phpbb_root_path . 'includes/emailer.'.$phpEx);
|
||||
$emailer = new emailer($board_config['smtp_delivery']);
|
||||
|
||||
$emailer->from($userdata['user_email']);
|
||||
$emailer->replyto($userdata['user_email']);
|
||||
$emailer->use_template('profile_send_email');
|
||||
$emailer->email_address($userdata['user_email']);
|
||||
|
||||
$email_headers = 'X-AntiAbuse: Board servername - ' . $server_name . "\n";
|
||||
$email_headers .= 'X-AntiAbuse: User_id - ' . $userdata['user_id'] . "\n";
|
||||
$email_headers .= 'X-AntiAbuse: Username - ' . $userdata['username'] . "\n";
|
||||
$email_headers .= 'X-AntiAbuse: User IP - ' . decode_ip($user_ip) . "\n";
|
||||
|
||||
$emailer->use_template('profile_send_email', $user_lang);
|
||||
$emailer->email_address($user_email);
|
||||
$emailer->set_subject($subject);
|
||||
|
||||
$emailer->extra_headers($email_headers);
|
||||
|
||||
$emailer->assign_vars(array(
|
||||
'SITENAME' => $board_config['sitename'],
|
||||
'BOARD_EMAIL' => $board_config['board_email'],
|
||||
@@ -139,72 +122,95 @@ if ( $result = $db->sql_query($sql) )
|
||||
);
|
||||
$emailer->send();
|
||||
$emailer->reset();
|
||||
|
||||
if ( !empty($HTTP_POST_VARS['cc_email']) )
|
||||
{
|
||||
$emailer->from($userdata['user_email']);
|
||||
$emailer->replyto($userdata['user_email']);
|
||||
$emailer->use_template('profile_send_email');
|
||||
$emailer->email_address($userdata['user_email']);
|
||||
$emailer->set_subject($subject);
|
||||
|
||||
$emailer->assign_vars(array(
|
||||
'SITENAME' => $board_config['sitename'],
|
||||
'BOARD_EMAIL' => $board_config['board_email'],
|
||||
'FROM_USERNAME' => $userdata['username'],
|
||||
'TO_USERNAME' => $username,
|
||||
'MESSAGE' => $message)
|
||||
);
|
||||
$emailer->send();
|
||||
$emailer->reset();
|
||||
}
|
||||
|
||||
$template->assign_vars(array(
|
||||
'META' => '<meta http-equiv="refresh" content="5;url=' . append_sid("index.$phpEx") . '">')
|
||||
);
|
||||
|
||||
$message = $lang['Email_sent'] . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
|
||||
|
||||
message_die(GENERAL_MESSAGE, $message);
|
||||
}
|
||||
else
|
||||
{
|
||||
message_die(GENERAL_ERROR, 'Could not update last email time', '', __LINE__, __FILE__, $sql);
|
||||
}
|
||||
|
||||
$template->assign_vars(array(
|
||||
'META' => '<meta http-equiv="refresh" content="5;url=' . append_sid("index.$phpEx") . '">')
|
||||
);
|
||||
|
||||
$message = $lang['Email_sent'] . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
|
||||
|
||||
message_die(GENERAL_MESSAGE, $message);
|
||||
}
|
||||
else
|
||||
{
|
||||
message_die(GENERAL_ERROR, 'Could not update last email time', '', __LINE__, __FILE__, $sql);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
include($phpbb_root_path . 'includes/page_header.'.$phpEx);
|
||||
|
||||
$template->set_filenames(array(
|
||||
'body' => 'profile_send_email.tpl')
|
||||
);
|
||||
make_jumpbox('viewforum.'.$phpEx);
|
||||
|
||||
if ( $error )
|
||||
{
|
||||
|
||||
include($phpbb_root_path . 'includes/page_header.'.$phpEx);
|
||||
|
||||
$template->set_filenames(array(
|
||||
'reg_header' => 'error_body.tpl')
|
||||
'body' => 'profile_send_email.tpl')
|
||||
);
|
||||
make_jumpbox('viewforum.'.$phpEx);
|
||||
|
||||
if ( $error )
|
||||
{
|
||||
$template->set_filenames(array(
|
||||
'reg_header' => 'error_body.tpl')
|
||||
);
|
||||
$template->assign_vars(array(
|
||||
'ERROR_MESSAGE' => $error_msg)
|
||||
);
|
||||
$template->assign_var_from_handle('ERROR_BOX', 'reg_header');
|
||||
}
|
||||
|
||||
$template->assign_vars(array(
|
||||
'ERROR_MESSAGE' => $error_msg)
|
||||
'USERNAME' => $username,
|
||||
|
||||
'S_HIDDEN_FIELDS' => '',
|
||||
'S_POST_ACTION' => append_sid("profile.$phpEx?mode=email&" . POST_USERS_URL . "=$user_id"),
|
||||
|
||||
'L_SEND_EMAIL_MSG' => $lang['Send_email_msg'],
|
||||
'L_RECIPIENT' => $lang['Recipient'],
|
||||
'L_SUBJECT' => $lang['Subject'],
|
||||
'L_MESSAGE_BODY' => $lang['Message_body'],
|
||||
'L_MESSAGE_BODY_DESC' => $lang['Email_message_desc'],
|
||||
'L_EMPTY_SUBJECT_EMAIL' => $lang['Empty_subject_email'],
|
||||
'L_EMPTY_MESSAGE_EMAIL' => $lang['Empty_message_email'],
|
||||
'L_OPTIONS' => $lang['Options'],
|
||||
'L_CC_EMAIL' => $lang['CC_email'],
|
||||
'L_SPELLCHECK' => $lang['Spellcheck'],
|
||||
'L_SEND_EMAIL' => $lang['Send_email'])
|
||||
);
|
||||
$template->assign_var_from_handle('ERROR_BOX', 'reg_header');
|
||||
|
||||
$template->pparse('body');
|
||||
|
||||
include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
|
||||
}
|
||||
else
|
||||
{
|
||||
message_die(GENERAL_MESSAGE, $lang['User_prevent_email']);
|
||||
}
|
||||
|
||||
$template->assign_vars(array(
|
||||
'USERNAME' => $username,
|
||||
|
||||
'S_HIDDEN_FIELDS' => '',
|
||||
'S_POST_ACTION' => append_sid("profile.$phpEx?mode=email&" . POST_USERS_URL . "=$user_id"),
|
||||
|
||||
'L_SEND_EMAIL_MSG' => $lang['Send_email_msg'],
|
||||
'L_RECIPIENT' => $lang['Recipient'],
|
||||
'L_SUBJECT' => $lang['Subject'],
|
||||
'L_MESSAGE_BODY' => $lang['Message_body'],
|
||||
'L_MESSAGE_BODY_DESC' => $lang['Email_message_desc'],
|
||||
'L_EMPTY_SUBJECT_EMAIL' => $lang['Empty_subject_email'],
|
||||
'L_EMPTY_MESSAGE_EMAIL' => $lang['Empty_message_email'],
|
||||
'L_OPTIONS' => $lang['Options'],
|
||||
'L_CC_EMAIL' => $lang['CC_email'],
|
||||
'L_SPELLCHECK' => $lang['Spellcheck'],
|
||||
'L_SEND_EMAIL' => $lang['Send_email'])
|
||||
);
|
||||
|
||||
$template->pparse('body');
|
||||
|
||||
include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
|
||||
}
|
||||
else
|
||||
{
|
||||
message_die(GENERAL_MESSAGE, $lang['User_prevent_email']);
|
||||
message_die(GENERAL_MESSAGE, $lang['User_not_exist']);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
message_die(GENERAL_MESSAGE, $lang['User_not_exist']);
|
||||
message_die(GENERAL_ERROR, 'Could not select user data', '', __LINE__, __FILE__, $sql);
|
||||
}
|
||||
|
||||
?>
|
||||
@@ -144,6 +144,7 @@ if (
|
||||
$notifyreply = ( isset($HTTP_POST_VARS['notifyreply']) ) ? ( ($HTTP_POST_VARS['notifyreply']) ? TRUE : 0 ) : 0;
|
||||
$notifypm = ( isset($HTTP_POST_VARS['notifypm']) ) ? ( ($HTTP_POST_VARS['notifypm']) ? TRUE : 0 ) : TRUE;
|
||||
$popup_pm = ( isset($HTTP_POST_VARS['popup_pm']) ) ? ( ($HTTP_POST_VARS['popup_pm']) ? TRUE : 0 ) : TRUE;
|
||||
$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;
|
||||
|
||||
if ( $mode == 'register' )
|
||||
{
|
||||
@@ -253,6 +254,13 @@ if ( isset($HTTP_POST_VARS['submit']) )
|
||||
{
|
||||
include($phpbb_root_path . 'includes/usercp_avatar.'.$phpEx);
|
||||
|
||||
// session id check
|
||||
if ($sid == '' || $sid != $userdata['session_id'])
|
||||
{
|
||||
$error = true;
|
||||
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Session_invalid'];
|
||||
}
|
||||
|
||||
$passwd_sql = '';
|
||||
if ( $mode == 'editprofile' )
|
||||
{
|
||||
@@ -893,6 +901,7 @@ else
|
||||
}
|
||||
|
||||
$s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />';
|
||||
$s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
|
||||
if( $mode == 'editprofile' )
|
||||
{
|
||||
$s_hidden_fields .= '<input type="hidden" name="user_id" value="' . $userdata['user_id'] . '" />';
|
||||
|
||||
Reference in New Issue
Block a user